
Communications of the ACM

Privacy

Cookie Monster


European privacy laws requiring opt-in informed consent for the use of tracking cookies on websites gave rise to the now-ubiquitous cookie consent banner. Subsequently, less stringent laws in the U.S. and elsewhere have led to websites that set cookies from the get-go but display cookie banners that offer opt-outs. The Web is now littered with inscrutable cookie banners that do not seem to provide any functionality, do not deliver on claimed opt-outs [6], use dark patterns to nudge users to consent to all cookies [1], or leave users puzzled. Users respond to these misguided compliance efforts by clicking whatever seems most expedient to get obtrusive cookie banners out of the way, providing consent that is anything but informed.

We have been studying cookie consent banners in my lab at Carnegie Mellon University to gain insights into how banner design impacts user comprehension and what cookies they accept. In one study, we created a retail website and recruited participants to test it out. We randomly assigned more than 1,000 U.S. participants to see one of 12 cookie banners on the website while they were shopping. After they completed the shopping task, we asked them questions about what they had consented to and why, as well as their comprehension of words used in the banner [1].


Our results demonstrate that when users can just as easily select any of the available cookie options, they accept fewer cookies than when it is easiest to accept all cookies. Similar to previous studies in Europe [9], we found that when a banner sits unobtrusively at the bottom of the screen, many users do not interact with it, and thus end up with the website's defaults (in the U.S., the default is usually to accept all cookies). When we replaced the banner with a persistent "cookie preferences" button that floats in the bottom-right corner of the browser, no participants interacted with the cookie preferences button at all [1]. Beyond academic studies, A/B testing of cookie consent banners on company websites demonstrates banner design has a large impact on opt-in rates [8].

To help illustrate some of the problems with cookie banners, let's look at cookie banners for four professional organizations of which I am a member [a]. I trust these organizations and do not believe they are trying to do anything nefarious, yet some of their cookie banners leave me perplexed.

The International Association of Privacy Professionals (IAPP) uses a Consent Management Platform (CMP) called OneTrust to display an unobtrusive cookie banner on the bottom of its website. Adopting one of the most common styles of cookie banners in the U.S., the IAPP banner includes a link to "manage cookies," a large brightly colored "accept" button, and an "X" to close the banner (see Figure 1). The text of the banner is typical, and not particularly insightful: "The IAPP uses cookies to give users like yourself the best possible content and experience." Clicking on the "manage cookies" link brings up a panel with two types of cookies already selected, suggesting that if I were to ignore the banner those cookies might be set without me clicking anything. Our study results indicate most visitors to websites with cookie banners such as this one will click the accept button and few will follow the manage-cookies link (users are reluctant to click "manage cookies," whether a button or link, but the link results in the fewest clicks). Users do not know what they will find behind the link or how long it will take them to manage cookies, and thus choose the more expedient accept button to get back to browsing quickly. This design does not comply with regulations requiring it to be just as easy to reject as to accept cookies [7]. It is also not at all clear what happens if you close the banner by clicking on the X.

Figure 1. The cookie consent banner from the IAPP website follows a common design pattern with a colorful Accept button and a Manage Cookies link.

The IAPP website also has a "manage cookies" link in the website footer that allows users to revisit their cookie decisions at any time and a cookie notice that enumerates the website's cookies. It is probably rare that a user would look at this, but it may be of particular interest to IAPP members.

The cookie banner at the bottom of the IEEE website does not offer any choices (see Figure 2). It states, "IEEE websites place cookies on your device to give you the best user experience. By using our websites, you agree to the placement of these cookies … ." There is a link to the privacy policy and one button labeled "Accept & Close." I am not aware of any laws that would consider a single button on a cookie banner as informed consent, and thus it does not appear to satisfy any compliance requirements, let alone common sense. As best I can tell, it makes no difference whether I click the button or not, except that clicking it means I get back the bottom inch of my browser window.

Figure 2. The cookie consent banner on the IEEE website does not offer any choices.

Similarly, a cookie banner at the top of the USENIX website also offers no choices (see Figure 3). It states, "If you use this site, cookies will be stored on your device … ." There is a link to the cookie statement and one button labeled "Got it," which gives the banner a conversational feel but does not mean anything to me except that I should click it to make the banner go away. As with the IEEE banner, I am unsure why it is there.

Figure 3. The cookie consent banner on the USENIX website does not offer any choices and features a conversational "Got it" button.

The cookie banner at the bottom of the main ACM website is better than most (see Figure 4). The text is clear about why and how ACM uses cookies. ACM offers three clear choice buttons that are equally easy to access and also includes checkboxes to enable three specific types of cookies. In our study, in conditions with in-line options such as these, participants were more invested in their consent decision, perhaps because there was no mystery about what they would find behind a manage-preferences link.

Figure 4. The cookie consent banner on the main ACM website offers three choice buttons and check boxes to enable three specific types of cookies.

A link for more details in the ACM cookie banner leads to a definition of each cookie type and a list of cookies. The detailed information is probably a bit much for most users but there are likely some ACM members who will appreciate this detail. ACM uses the Cookiebot CMP to generate the cookie banner and detailed "cookie declaration." The inclusion of a link to the cookie declaration in the footer of the website allows users to check and change their cookie settings, although a label such as "cookie preferences" might communicate more clearly what is behind the link.

ACM appears to be taking a privacy-protective opt-in approach for all but necessary cookies. As I have browsed the ACM website with the optional cookies turned off, I have not encountered a situation where I thought I might benefit from enabling optional cookies (this has been my experience on most websites where I opt out of cookies). This makes me wonder whether anyone turns on the optional cookies, and if not, why they are there. If those cookies are not actually needed, then ACM could stick with the necessary cookies only and turn off the cookie banner. (Inexplicably, the ACM Digital Library has a different banner than the main ACM website with a useless "Got it!" button.) One problem ACM and other organizations may face is they have components such as videos embedded in their websites that come from third parties that may set cookies the first party has no control over.

In our research we also found commonly used cookie categories are not very clear to users. Taken from a 2012 Cookie Guide published by the International Chamber of Commerce United Kingdom, these common terms include strictly necessary cookies, performance cookies, functionality cookies, and targeting cookies or advertising cookies [4]. While the idea of standard cookie categories is great, the category names chosen seem to provoke misconceptions. In our study, only 16% of participants correctly identified the definition of functional cookies in a multiple-choice question and 48% correctly identified the definition of performance cookies. The term "functional" is particularly confusing because it may suggest cookies needed for websites to function, which are actually called "strictly necessary cookies." In reality, functional cookies provide extra personalization functions. Cookiebot uses the terms "preferences" and "statistics" in place of "functional" and "performance," which I suspect may be clearer, but these terms should be tested with users!

Another terminology confusion comes from the meaning of the buttons on cookie consent banners. In Europe, data protection authorities encourage companies to include a "reject all" button next to the "accept" button [5]. However, under European law strictly necessary cookies do not require consent, so sites continue to set them regardless of the user's choice, and clicking "reject all" rejects every category except the strictly necessary one. Such buttons would be labeled more accurately "accept only necessary," or with the Cookiebot button label "use necessary cookies only."


Organizations should take steps to improve their cookie banners [7] or eliminate them altogether where they are not needed. But cookie banners are a suboptimal solution to consent management since they require users to stop and make a decision, usually not a very informed one, at every website they visit. In their current form they add friction and annoyance without benefiting users.

Web browser plugins are available to block tracking cookies, allowing users to effectively opt-out without having to navigate through choices on cookie banners. These tools work with varying degrees of success, sometimes causing desired website functionality such as product reviews and embedded videos to stop working.

Automated solutions have been proposed that would allow users to set opt-out preferences in their web browser and have them conveyed automatically in the background at every website a user visits. One such solution, "Do Not Track," was implemented in some web browsers more than a decade ago and widely adopted by users, but most websites ignored these automated requests not to engage in tracking [2]. More recently, a system called "Global Privacy Control" (GPC) was introduced to allow users to automatically send requests not to sell their personal information to all websites they visit. These requests are considered valid under the California Consumer Privacy Act (CCPA), and websites that ignore them may face enforcement actions in California [3]. GPC, which is expected to be expanded to other jurisdictions, is a step in the right direction, finally offering users the ability to opt out of tracking everywhere without requiring them to take steps to opt out at every website.

In the short term, organizations should clean up their cookie banners so that users can access privacy choices easily and remove banners when there are not any meaningful choices to present. Longer term, we need automated solutions to allow users to make their decisions once and have them respected everywhere. We will also need good user interfaces that help users understand when features are unavailable due to automated decisions and allow them to override in specific cases. However, we will need to be careful to prevent a proliferation of decision override prompts that annoy and manipulate users without offering informed consent or protecting privacy.


References

1. Habib, H. et al. "Okay, whatever": An evaluation of cookie consent interfaces. In Proceedings of the CHI Conference on Human Factors in Computing Systems (CHI '22), (Apr. 29–May 5, 2022, New Orleans, LA); https://doi.org/10.1145/3491102.3501985

2. Hill, J. 'Do Not Track,' the privacy tool used by millions of people, doesn't do anything. Gizmodo (Oct. 2018); https://bit.ly/3PvLbmH

3. Holland, J. Global privacy control popularity grows as legal status up in the air. Bloomberg Law. (Dec. 21, 2021); https://bit.ly/3wxJFYO

4. International Chamber of Commerce UK. ICC UK Cookie Guide (2012); https://bit.ly/3wm8yri

5. La Commission nationale de l'informatique et des libertés (CNIL). Délibération no 2020-092 du 17 septembre 2020 portant adoption d'une recommandation proposant des modalités pratiques de mise en conformité en cas de recours aux "cookies et autres traceurs."; https://bit.ly/3G1C3C3

6. Matte, C., Bielova, N., and Santos, C. Do cookie banners respect my choice?: Measuring legal compliance of banners from IAB Europe's transparency and consent framework. In Proceedings of the IEEE Symposium on Security and Privacy (SP). IEEE, 2020, 791–809.

7. noyb. Many more cookie banners to go: Second wave of complaints underway. (Mar. 4, 2022); https://bit.ly/38DbI0N

8. Schepelle, C. Despite GDPR: Up to 70% Analytics Opt-in rates—Why Extensive Testing is Worth Every Minute of Effort. 2020; https://bit.ly/3PEH5Jl

9. Utz, C. et al. (Un)informed consent: Studying GDPR consent notices in the field. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS '19). ACM, New York, NY, USA, (2019); 973–990; https://doi.org/10.1145/3319535.3354212


Author

Lorrie Faith Cranor (lorrie@cmu.edu) is Director and Bosch Distinguished Professor in Security and Privacy Technologies, CyLab Security and Privacy Institute and FORE Systems Professor, Computer Science and Engineering & Public Policy, Carnegie Mellon University, Pittsburgh, PA, USA.


Footnotes

a. I am reporting what I observed visiting these websites in April 2022 from a U.S. IP address. Some websites deliver different cookie banners depending on the geographic location of the user.


Copyright held by author.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2022 ACM, Inc.
